Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
nfs_des | nfs_des; modified file 'kdc/kerberos5.c' | Brian May <bam@debian.org> | no | | | 2017-04-26 |
021_debian | Debian; modified file 'doc/setup.texi' | Brian May <bam@debian.org> | no | | | 2017-04-26 |
022_openafs | OpenAFS | Brian May <bam@debian.org> | no | | | 2017-04-26 |
025_krb5-config-paths | krb5-config-paths; modified file 'a/tools/krb5-config.in' | Brian May <bam@debian.org> | no | | | 2017-04-26 |
025_pthreads | pthreads; modified file 'cf/pthreads.m4' | Brian May <bam@debian.org> | no | | | 2017-04-26 |
030_pkg-config-paths | pkg-config-paths; modified file 'tools/heimdal-gssapi.pc.in' | Brian May <bam@debian.org> | no | | | 2017-04-26 |
installsh | installsh | Brian May <bam@debian.org> | no | | | 2017-04-26 |
041_hurd_maxhostnamelen | hurd_maxhostnamelen | Brian May <bam@debian.org> | no | | | 2017-04-26 |
042_hurd_path_max | hurd_path_max | Brian May <bam@debian.org> | no | | | 2017-04-26 |
046_hurd_sundevdata | hurd sundevdata | Brian May <bam@debian.org> | no | | | 2017-04-26 |
047_link_gssapi | Link Gssapi: link against the just-built gssapi instead of the system one; this resolves FTBFS when gssapi adds new symbols. | Dimitri John Ledkov <xnox@ubuntu.com> | no | | | 2017-04-26 |
060_no_build_string | No build string: remove hostname and build time from version, as they make the build unreproducible. | Jelmer Vernooij <jelmer@debian.org> | no | | | 2017-04-26 |
parallel-build | Parallel build | Brian May <bam@debian.org> | no | | | 2017-04-26 |
disable_iprop | Disable iprop | Brian May <bam@debian.org> | no | | | 2017-04-26 |
canonical_host | Canonical host: disable use of @CANONICAL_HOST@, which is not reproducible. https://github.com/heimdal/heimdal/issues/237 | Brian May <bam@debian.org> | no | | | 2017-04-26 |
0016-Add-back-in-base64_encode-and-base64_decode.patch | Add back in base64_encode and base64_decode. These functions were removed upstream; see https://github.com/heimdal/heimdal/issues/107. Unfortunately the SONAME was not incremented for libroken. This could cause breakage. This change reintroduces the old names until the SONAME can be incremented. | Brian May <brian@linuxpenguins.xyz> | no | | | 2017-04-26 |
fix-missing-headers | fix-missing-headers | Brian May <bam@debian.org> | no | | | 2019-12-16 |
0018-CVE-2019-14870-Always-lookup-impersonate-client-in-D.patch | CVE-2019-14870: Always lookup impersonate client in DB | Isaac Boukris <iboukris@gmail.com> | no | | | 2019-11-05 |
0019-CVE-2019-14870-Apply-forwardable-policy-in-protocol-.patch | CVE-2019-14870: Apply forwardable policy in protocol-transition | Isaac Boukris <iboukris@gmail.com> | no | | | 2019-11-05 |
0020-CVE-2019-14870-Validate-client-attributes-in-protoco.patch | CVE-2019-14870: Validate client attributes in protocol-transition | Isaac Boukris <iboukris@gmail.com> | no | | | 2019-11-07 |
python3.diff | | | no | | | |
CVE-2021-3671-HEIMDAL-kdc-validate-sname-in-TGS-REQ.patch | CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ. In tgs_build_reply(), validate that the server name in the TGS-REQ is present before dereferencing. [abartlet@samba.org backported from Heimdal commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference to an earlier patch by Joseph Sutton] | Luke Howard <lukeh@padl.com> | yes | debian upstream | https://gitlab.com/samba-team/samba/-/commit/0cb4b939f192376bf5e33637863a91a20f74c5a5 | 2021-08-27 |
Address-GCC-Bug-95189-memcmp-wrongly-stripped-like-s.patch | [PATCH] Address GCC Bug 95189: memcmp wrongly stripped like strcmp. As documented in Russell O'Connor's blog, Heimdal when compiled with some versions of gcc 9 and 10 would generate incorrect behaviors from _gssapi_verify_mic_arcfour(), _gssapi_unwrap_arcfour(), _gssapi_unwrap_iov_arcfour() and _gssapi_unwrap_iov_arcfour(). As a result of the bug, code of the form `if (memcmp(a, "\x00\x00\x00\x00"))` and `cmp = memcmp(a, "\x00\x00\x00\x00")` will be compiled as if it were written as `if (strcmp(a, "\x00\x00\x00\x00"))` and `cmp = strcmp(a, "\x00\x00\x00\x00")`, but not `if (memcmp(a, "\x00\x00\x00\x00") != 0)` and `cmp = (memcmp(a, "\x00\x00\x00\x00") != 0)`. Bad code is generated whenever one of the parameters to memcmp() is a constant with at least one NUL in the first four octets and the return value is used immediately without a boolean comparison. The gcc bug 95189 has since been fixed. This change applies a defensive programming technique to avoid the broken code generation. (cherry picked from commit 02200d55eaf01a3a21d52eccfa7eea02f9e8df72) | Jeffrey Altman <jaltman@secure-endpoints.com> | no | | | 2021-11-24 |
Fix-compiler-warnings-and-build-issues.patch | [PATCH] Fix compiler warnings and build issues | Nicolas Williams <nico@twosigma.com> | no | | | 2021-03-27 |
spnego-CVE-2021-44758-send_reject-when-no-mech-selec.patch | [PATCH] spnego: CVE-2021-44758 send_reject when no mech selected. This fixes a DoS where an initial SPNEGO token that has no acceptable mechanisms causes a NULL dereference in acceptors. send_accept(), when called with a non-zero 'initial_response', did not handle the case of gssspnego_ctx.preferred_mech_type equal to GSS_C_NO_OID. The failure to handle GSS_C_NO_OID has been present since the initial revision of gssapi/spnego, 2baa7e7d613c26b2b037b368931519a84baec53d, but might not have been exercised until later revisions. The introduction of opportunistic token handling in gss_accept_sec_context(), 3c9d3266f47f594a29068c9d629908e7000ac663, introduced two bugs: 1. The optional mechToken field is used unconditionally, possibly resulting in a segmentation fault. 2. If use of the opportunistic token is unsuccessful and the mech type list length is one, send_accept() can be called with 'initial_response' true and preferred mech set to GSS_C_NO_OID. b53c90da0890a9cce6f95c552f094ff6d69027bf ("Make error reporting somewhat more correct for SPNEGO") attempted to fix the first issue and increased the likelihood of the second. This change alters the behavior of acceptor_start() so it calls send_reject() when no mechanism was selected. | Nicolas Williams <nico@twosigma.com> | no | | | 2022-03-09 |
asn1-CVE-2022-44640-Invalid-free-in-ASN.1-codec.patch | [PATCH] asn1: CVE-2022-44640 Invalid free in ASN.1 codec. This is possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3. Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability. This error affects the DER codec for all CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts may be affected as well. This bug has been in Heimdal since 2005, though only Heimdal 1.6 and up appear to be vulnerable. It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier. While no zero-day exploit is known, such an exploit will likely be available soon after public disclosure. | Nicolas Williams <nico@twosigma.com> | no | | | 2021-03-10 |
gsskrb5-CVE-2022-3437-Use-constant-time-memcmp-for-a.patch | [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour unwrap. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-10-12 |
gsskrb5-CVE-2022-3437-Use-constant-time-memcmp-in-un.patch | [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() in unwrap_des3(). The surrounding checks all use ct_memcmp(), so this one was presumably meant to as well. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-10-12 |
gsskrb5-CVE-2022-3437-Don-t-pass-NULL-pointers-to-me.patch | [PATCH] gsskrb5: CVE-2022-3437 Don't pass NULL pointers to memcpy() in DES unwrap. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-10-12 |
gsskrb5-CVE-2022-3437-Avoid-undefined-behaviour-in-_.patch | [PATCH] gsskrb5: CVE-2022-3437 Avoid undefined behaviour in _gssapi_verify_pad(). By decrementing 'pad' only when we know it's safe, we ensure we can't stray backwards past the start of a buffer, which would be undefined behaviour. In the previous version of the loop, 'i' is the number of bytes left to check, and 'pad' is the current byte we're checking. 'pad' was decremented at the end of each loop iteration. If 'i' was 1 (so we checked the final byte), 'pad' could potentially be pointing to the first byte of the input buffer, and the decrement would put it one byte behind the buffer. That would be undefined behaviour. The patch changes it so that 'pad' is the byte we previously checked, which allows us to ensure that we only decrement it when we know we have a byte to check. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-08-15 |
gsskrb5-CVE-2022-3437-Check-the-result-of-_gsskrb5_g.patch | [PATCH] gsskrb5: CVE-2022-3437 Check the result of _gsskrb5_get_mech(). We should make sure that the result of 'total_len - mech_len' won't overflow, and that we don't memcmp() past the end of the buffer. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-08-15 |
gsskrb5-CVE-2022-3437-Check-buffer-length-against-ov.patch | [PATCH] gsskrb5: CVE-2022-3437 Check buffer length against overflow for DES{,3} unwrap. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-08-15 |
gsskrb5-CVE-2022-3437-Check-for-overflow-in-_gsskrb5.patch | [PATCH] gsskrb5: CVE-2022-3437 Check for overflow in _gsskrb5_get_mech(). If len_len is equal to total_len - 1 (i.e. the input consists only of a 0x60 byte and a length), the expression 'total_len - 1 - len_len - 1', used as the 'len' parameter to der_get_length(), will overflow to SIZE_MAX. Then der_get_length() will proceed to read, unconstrained, whatever data follows in memory. Add a check to ensure that doesn't happen. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-10-10 |
gsskrb5-CVE-2022-3437-Pass-correct-length-to-_gssapi.patch | [PATCH] gsskrb5: CVE-2022-3437 Pass correct length to _gssapi_verify_pad(). We later subtract 8 when calculating the length of the output message buffer. If padlength is excessively high, this calculation can underflow and result in a very large positive value. Now we properly constrain the value of padlength so underflow shouldn't be possible. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-10-12 |
krb5-CVE-2022-42898-PAC-parse-integer-overflows.patch | [PATCH] krb5: CVE-2022-42898 PAC parse integer overflows. Catch overflows that result from adding PAC_INFO_BUFFER_SIZE. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203 | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-10-25 |
lib-wind-find_normalize-read-past-end-of-array.patch | [PATCH] lib/wind: find_normalize read past end of array. find_normalize() can under some circumstances read one element beyond the input array. The contents are discarded immediately without further use. This change prevents the unintended read. (cherry picked from commit 357a38fc7fb582ae73f4b7f4a90a4b0b871b149e) | Jeffrey Altman <jaltman@secure-endpoints.com> | no | | | 2021-11-17 |
lib-krb5-fix-_krb5_get_int64-on-32-bit-systems.patch | [PATCH] lib/krb5: fix _krb5_get_int64 on 32-bit systems. On systems where 'unsigned long' is 32 bits and the 'size' parameter is set to 8 and the bytes are 0x78 0x00 0x00 0x00 0x00 0x00 0x00 0x00, when 'i' becomes 4, 'v' will be 0 again, as 'unsigned long' is only able to hold 4 bytes. Change the type of 'v' from 'unsigned long' to 'uint64_t', which matches the type of the output parameter 'value'. (cherry picked from commit 9d1bfab9882d0aa14ae0981e6667c93db93ffc5d) | Stefan Metzmacher <metze@samba.org> | no | | | 2022-11-16 |
lib-krb5-krb5_pac_parse-mem-leak-if-pac_header_size-.patch | [PATCH] lib/krb5: krb5_pac_parse mem leak if pac_header_size failure. 48 byte memory leak from krb5_pac_parse() each time pac_header_size() fails. (cherry picked from commit 02f12fc746341f54a514e9e17bc7d315b91129e8) | Jeffrey Altman <jaltman@auristor.com> | no | | | 2022-11-16 |
kdc-Check-generate_pac-return-code.patch | [PATCH] kdc: Check generate_pac() return code. If the function fails, we should not issue a ticket missing the PAC. (cherry picked from commit 05e589d2473a1bd225b0fc4670c75ba24091644d) (cherry picked from commit d1e077c50b6b6e6108d70a0301b97f6904c45ca7) | Joseph Sutton <josephsutton@catalyst.net.nz> | no | | | 2022-06-16 |
CVE-2022-45142-gsskrb5-fix-accidental-logic-inversio.patch | [PATCH] CVE-2022-45142: gsskrb5: fix accidental logic inversions. The referenced commit attempted to fix miscompilations with gcc-9 and gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, it also inverted the result of the comparison in two occasions. This inversion happened during backporting the patch to 7.7.1 and 7.8.0. for arcfour unwrap") | Helmut Grohne <helmut@subdivi.de> | no | | | 2023-02-05 |